Patch management not updating

Tjernigan
New Contributor III

Hi all, I have been getting a headache with patch management. I have tried to update Adobe Acrobat Reader and Google Chrome on two different machines. I have downloaded the recent update from the 3rd party site as well as from Jamf's 3rd party product site. I click the patch in Self Service and I either get "error" or "finished", but upon inspecting the version, it failed to update and the patch reappears in Self Service, acknowledging the out-of-date software.

I called jamf support and they told me they weren't able to help at the moment and opened a case. Has anyone else experienced this? And can someone please help??

1 ACCEPTED SOLUTION

Tjernigan
New Contributor III

So after 3 days of email with Jamf support, their solution was to install the software locally and repackage it in Composer. They said that the file being a dmg was the issue as there is no direction for the install. I was able to get this to work most of the time and find scripts to update other applications locally on the machine. Kind of a haphazard solution but at least I am getting my software updated.

40 REPLIES

JasonAtCSUMB
Contributor

I use Patch Management for smart groups reporting, but not actually installing patches, so I can't say I have seen the same problem you're describing. However, I am having the problem of patch report not showing any recent data. I added a few titles yesterday, but today (after forcing inventory scans) there are no computers in the patch report.

naya
New Contributor II

Same for me too, the definitions stopped showing the latest versions. Have opened a support ticket.

rlandgraf
Contributor

We are having a similar issue, our JAMF support engineer believes it has to do with PI-007715. We have not been able to run the fix as it requires taking down the JSS and running some DB commands. But you may want to reach out to JAMF support and reference that PI number.

Marcchapman
New Contributor II

Not sure if this is linked but we have had an issue where patch policies are scoped to a smart group but even when the deadline to update is hit and has passed the applications don't force the update.

petert
New Contributor

Under Settings > Computer Management > Patch Management there is a listing of the "Patch Internal Source" server (https://jamf-patch.jamfcloud.com/v1/). It doesn't answer on ping. Anyone else get the same result?

Zimmerman
New Contributor

I have the same settings and do get a ping back, however my patches are not deploying

PCSysops
New Contributor II

Same, looks like my patch management section hasn't updated since mid January. I am waiting to hear back on my support case.

tomt
Valued Contributor

I'm deploying the latest Reader update using a Patch Policy. Based on a smart group there are about 60% of machines that have been patched. However, the Patch Management total has been stuck at 4% for a few days now. We are on Jamf Cloud.

mleefit
New Contributor

I'm looking to use Jamf Pro's patch management and cannot for the life of me get it to complete a patch of Adobe Acrobat Reader DC on my machine as a test.
I've followed the instructions to a T. Given the posts above there are issues at the moment?
I'm going to give the work around a try above where someone had to repackage the .dmg.
All I get is installation error. That's it, no specifics.

Update: I extracted the .pkg and tried that, and it worked for Adobe Acrobat Reader DC. So am I to assume .pkg is the preferred package over .dmg?

tomt
Valued Contributor

Just to follow up on my previous post, Jamf Support was able to resolve the issue with my policy numbers not updating. Don't know exactly what they did, but it worked. :)

sleblanc
New Contributor

I'm having the same issue: no new patches since December.

jmahlman
Valued Contributor

Our patch titles are updating but the counts are not going up even after patched.

jchin-ro
New Contributor III

Similar issue here. Our Patch Management is not reflecting the actual versions of the applications installed. Our latest Google Chrome is showing up in Patch Management with the last version available there; meanwhile it is 4-5 versions behind the actual latest version from Google. The same thing is happening with Zoom Meetings Client, where users have version 5.0.x installed but it shows in Patch Management as the last version 4.x.

shaquir
Contributor III

support@jamf.com was able to get this resolved for me quite quickly in March. This was a known issue, and they were able to patch patch management after hours.

pvcit
New Contributor III

Happened to us too, Jamf had to patch our database. Known issue and has not been fixed in over 6+ months. You can tell Jamf really cares about their patch management...LOL.

jchin-ro
New Contributor III

Is this normal (getting a 404 error) when you navigate to https://jamf-patch.jamfcloud.com/v1/ ?

jchin-ro
New Contributor III

Looks like JAMF did some maintenance this morning
Jamf Maintenance - JAMF Pro - Standard: 10.21 Upgrade for us-west-2 - 9 May 2020
and it magically resolved our Patch Management issue.

Espaay
New Contributor III

We are using JAMF PRO 10.24 in the cloud.
Under Settings > Computer Management > Patch Management there is a listing of the "Patch Internal Source" server (https://jamf-patch.jamfcloud.com/v1/).
However, on macOS Catalina from home on the internet (not VPN), I went to Terminal.app and ran ping on jamf-patch.jamfcloud.com. The result was "PING std-legacyurl-def-.us-east-1.elb.amazonaws.com", then request timeouts for icmp_seq zero to 14, and then I ended it. Why is this timing out?

metalfoot77
Contributor II

Having a similar issue, just updated a bunch of packages in composer and patch management is just sitting with them and not seemingly updating anything. Any word on this from anyone?

tomt
Valued Contributor

My Firefox patch reporting has not moved in a week. I tried using a Patch Policy and it did nothing. I've used a standard policy and updates are going out normally but the Patch Reporting does not reflect any changes.

It's just broken.

smcmjeff
New Contributor III

Same here. Jamf Pro 10.25 (Cloud). I put in a ticket a couple of weeks ago because patch versions were not displaying the latest versions (no notifications either). This would not allow me to upload the latest patch definition for Chrome. Jamf support noticed a "Known issue on the server (PI-007715) that would be causing the patch versions to be behind". They scheduled maintenance for that night and the problem appeared to be resolved. That was Oct. 15 2020. Now I am experiencing the same issue as others. I released a Zoom update to 5.4.0 yesterday. It worked on two machines (used for testing); however, when I added "All Managed Clients" nothing happened. Patch set to install automatically, with a 120 minute delay if the program is open. No other computers have patched. I can see that this is also happening with Chrome, albeit with fewer machines, because I released the 86.0.4240.111 patch a while back, and the problem started over the past few days. I created a new patch policy for Zoom, but it did not help. This has worked fine for a long time.
Also, has anyone noticed that the log files for the patch policies don't say whether the patch policy completed or failed? Maybe I am missing something. I am putting in a support ticket right now.

Espaay
New Contributor III

Still nothing; see screenshot, we need assistance.

T_Armstrong
Contributor

For everyone posting in this thread, do you have an open case with Jamf support?

I do, and they are actively working on it, but have said that there appears to be more than one cause, so I highly recommend opening a ticket if you haven't already.

Espaay
New Contributor III

Yes, always open a ticket 1st.

Rokas
New Contributor III

Opened a case on this also :)

Jason33
Contributor III

Opened a ticket yesterday afternoon, resolved overnight. Software versions are updating, and my email notifications are working again.

tomt
Valued Contributor

They have a workaround that can be done overnight. I've had the issue 3 or 4 times over the last six months.

Rokas
New Contributor III

Didn't fix for me :)

Tjernigan
New Contributor III

For those having this problem with Chrome and Firefox, there are plenty of scripts that check for versions and update automatically. These browsers are some of the easiest to keep up to date with scripts, as opposed to a pain in the ass like Zoom. I suggest you search either the 3rd party software page or discussions for scripts to update these two rather than patch management.

thomas_moser
New Contributor III

Hi, is patch management still working?
Skype for Business 16.29.41 is out for about 2 weeks,
Symantec Endpoint Protection 14.3.3384.1000 is out for over a month... But Patch Management still shows the old versions.

Edge is still not integrated even though many want it to be (and most of the Microsoft apps are already working fine).
Vote up for Edge to get integrated in patch management: https://www.jamf.com/jamf-nation/feature-requests/9140/microsoft-edge-patch-management-policy

Rokas
New Contributor III

It broke for me again; it was working for a while. Raised a support case once more. @Tjernigan our security team is using patch management for reporting as it displays information in a very user-friendly way, but then it lies. I'm starting to get a lot of questions about why devices are out of date when they aren't really :)

cleader
New Contributor

@thomas.moser

I'm having the exact same issue and have opened a case. Please open a case if you haven't already.

Restarting Tomcat will quickly update the patch catalog but then it just stops updating again.

JKingsnorth
Contributor

We've been having this same issue on and off for months now. Started again today. Everything is showing fully updated on the Policy tab but on the Report tab it's a 0% for multiple apps. Chrome doesn't even show the latest patch to pick from in the definition tab.

This is getting really old having to open a ticket every couple weeks just to get it working again for Cloud accounts.

tomt
Valued Contributor

Yeah, at the moment I'm seeing that the Chrome version has not updated in my Patch reporting. Not sure yet if I should reopen my never-ending ticket about Patch Management not updating or if someone is just having a Monday and forgot to update it.

Edit: Looks like it was someone just forgetting to update the Chrome definition as it now appears correctly.

beemanaged
New Contributor II

I have been trying to use the Firefox patch management and it's not working. The extension attribute script looks different from the original one. I noticed the new script doesn't actually return any value in Jamf Pro. When I run the script in Terminal it prints out pipes around the version which I've noticed my working scripts do not have.

#!/bin/sh
#######################################################
# A script to collect the Version of Mozilla Firefox. #
#######################################################

PATH_EXPR=/Applications/*/Contents/*/application.ini
RELEASE="mozilla-release"
BUNDLE_ID="org.mozilla.firefox"
KEY="CFBundleShortVersionString"

RESULTS=()
IFS=$'\n'
for APP_INI in $(/usr/bin/grep -l "${RELEASE}" ${PATH_EXPR} 2>/dev/null); do
    PLIST="$(/usr/bin/dirname "${APP_INI}")/../Info.plist"
    if [ "$(/usr/bin/defaults read "${PLIST}" CFBundleIdentifier 2>/dev/null)" == "${BUNDLE_ID}" ]; then
        RESULTS+=($(/usr/bin/defaults read "${PLIST}" "${KEY}" 2>/dev/null))
    fi
done
unset IFS

if [ ${#RESULTS[@]} -eq 0 ]; then
    /bin/echo "<result></result>"
else
    IFS="|"
    /bin/echo "<result>|${RESULTS[*]}|</result>"
    unset IFS
fi

exit 0

The original script

#!/usr/bin/env bash

##############################################################################
#Script is designed to return the 'version number' of Mozilla Firefox.       #
#Locates the the installed firefox application verifies 'release'            #
#before returning 'version number' or 'not installed'                        #
##############################################################################
RESULT="Not Installed"

for i in /Applications/Firefox*.app; do
  /usr/bin/grep mozilla-release "$i"/Contents/Resources/application.ini
  if [[ $? -eq 0 ]]; then
    RESULT=$(/usr/bin/defaults read "$i"/Contents/Info.plist CFBundleShortVersionString)
  fi
done
/bin/echo "<result>$RESULT</result>"

Attached screen shot of result in terminal. Could this be part of the issue? I'm not familiar with Inline Field Separators.

Tjernigan
New Contributor III

@tomt Here, try using this script. It is much easier than just trying to go through patch management all the time with how many updates Google sends out.

#!/bin/sh
# Download the current stable Google Chrome disk image, copy the app into
# /Applications, and log each step.

dmgfile="googlechrome.dmg"
volname="Google Chrome"
logfile="/Library/Logs/GoogleChromeInstallScript.log"

url='https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg'

/bin/echo "--" >> "${logfile}"
/bin/echo "$(date): Downloading latest version." >> "${logfile}"
# -f makes curl fail on an HTTP error instead of saving the error page as the dmg
/usr/bin/curl -sf -o "/tmp/${dmgfile}" "${url}" || exit 1
/bin/echo "$(date): Mounting installer disk image." >> "${logfile}"
/usr/bin/hdiutil attach "/tmp/${dmgfile}" -nobrowse -quiet
/bin/echo "$(date): Installing..." >> "${logfile}"
/usr/bin/ditto -rsrc "/Volumes/${volname}/Google Chrome.app" "/Applications/Google Chrome.app"
/bin/sleep 10
/bin/echo "$(date): Unmounting installer disk image." >> "${logfile}"
# Look up the device node of the mounted volume and detach it
/usr/bin/hdiutil detach "$(/bin/df | /usr/bin/grep "${volname}" | /usr/bin/awk '{print $1}')" -quiet
/bin/sleep 10
/bin/echo "$(date): Deleting disk image." >> "${logfile}"
/bin/rm "/tmp/${dmgfile}"

exit 0
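
Added example (not part of the thread and not Jamf's or any poster's code): the same download-and-copy approach, run as root by a policy, with the app's code signature and Team ID checked before anything is copied into /Applications. The Team ID value, the function names and the sample `codesign` output are assumptions made for illustration.

```shell
#!/bin/bash
# Assumption: EQHXZ8M8AV is Google's Developer ID team; confirm it on a
# known-good copy with `codesign -dv --verbose=2` before relying on it.
EXPECTED_TEAM_ID="EQHXZ8M8AV"
URL='https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg'

# Read `codesign -dv --verbose=2` output on stdin, print the TeamIdentifier.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# $1 = codesign output, $2 = expected team ID; an empty expectation never matches.
team_id_matches() {
    [ -n "$2" ] && [ "$(printf '%s\n' "$1" | team_id_from_codesign)" = "$2" ]
}

# $1 = path to the .app on the mounted image.
verify_app() {
    /usr/bin/codesign --verify --deep --strict "$1" || return 1
    /usr/sbin/spctl --assess --type execute "$1" || return 1
    team_id_matches "$(/usr/bin/codesign -dv --verbose=2 "$1" 2>&1)" "${EXPECTED_TEAM_ID}"
}

install_chrome() {
    local work mnt rc=1
    work="$(/usr/bin/mktemp -d)" || return 1   # private dir, not a fixed /tmp name
    mnt="${work}/mnt"; /bin/mkdir "${mnt}"
    if /usr/bin/curl -fsSL --proto '=https' -o "${work}/chrome.dmg" "${URL}" &&
       /usr/bin/hdiutil attach "${work}/chrome.dmg" -nobrowse -quiet -readonly -mountpoint "${mnt}"; then
        if verify_app "${mnt}/Google Chrome.app"; then
            /usr/bin/ditto "${mnt}/Google Chrome.app" "/Applications/Google Chrome.app" && rc=0
        else
            echo "Signature check failed; not installing." >&2
        fi
        /usr/bin/hdiutil detach "${mnt}" -quiet
    fi
    /bin/rm -rf "${work}"
    return "${rc}"
}

# Constructed samples of codesign output, for checking the parser offline.
SAMPLE_SIGNED='Identifier=com.google.Chrome
Authority=Developer ID Application: Google LLC (EQHXZ8M8AV)
TeamIdentifier=EQHXZ8M8AV'
SAMPLE_ADHOC='Identifier=com.google.Chrome
TeamIdentifier=not set'

if [ "${1:-}" = "--install" ]; then install_chrome; fi
```

Run it with `--install` from a policy; without that argument it only defines the functions, so the parser can be checked against the sample output on any machine.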